Change slap_sasl_authorized to take an Operation instead of a Connection,
for compatibility with proxyAuthz control
This commit is contained in:
parent
83f0acc1d8
commit
9dace23dec
@ -740,7 +740,7 @@ static int parseProxyAuthz (
|
|||||||
dn.bv_len ? dn.bv_val : "(NULL)", 0 );
|
dn.bv_len ? dn.bv_val : "(NULL)", 0 );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
rc = slap_sasl_authorized( op->o_conn, &op->o_ndn, &dn );
|
rc = slap_sasl_authorized( op, &op->o_ndn, &dn );
|
||||||
|
|
||||||
if( rc ) {
|
if( rc ) {
|
||||||
ch_free( dn.bv_val );
|
ch_free( dn.bv_val );
|
||||||
|
@ -869,7 +869,7 @@ LDAP_SLAPD_F (void) slap_sasl2dn LDAP_P((
|
|||||||
struct berval *saslname,
|
struct berval *saslname,
|
||||||
struct berval *dn ));
|
struct berval *dn ));
|
||||||
LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((
|
LDAP_SLAPD_F (int) slap_sasl_authorized LDAP_P((
|
||||||
Connection *conn,
|
Operation *op,
|
||||||
struct berval *authcid,
|
struct berval *authcid,
|
||||||
struct berval *authzid ));
|
struct berval *authzid ));
|
||||||
LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((
|
LDAP_SLAPD_F (int) slap_sasl_regexp_config LDAP_P((
|
||||||
|
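Review bot: The prototype of slap_sasl_authorized now takes `Operation *op` but the header carries no comment saying what the caller must supply, while the implementation reads `op->o_conn` for the manager check and passes `op` down into the backend lookups. A short comment above the declaration, such as `/* authorization check for authcid -> authzid; op must be a live operation on the bound connection; DNs are passed without the dn: prefix */`, would give the proxyAuthz control and the SASL-bind callback one contract to follow instead of each inferring it from the body.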
@ -752,7 +752,7 @@ slap_sasl_authorize(
|
|||||||
|
|
||||||
AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
|
AC_MEMCPY( &authzDN, auxvals[1].values[0], sizeof(authzDN) );
|
||||||
|
|
||||||
rc = slap_sasl_authorized( conn, &authcDN, &authzDN );
|
rc = slap_sasl_authorized( conn->c_sasl_bindop, &authcDN, &authzDN );
|
||||||
ch_free( authcDN.bv_val );
|
ch_free( authcDN.bv_val );
|
||||||
if ( rc != LDAP_SUCCESS ) {
|
if ( rc != LDAP_SUCCESS ) {
|
||||||
#ifdef NEW_LOGGING
|
#ifdef NEW_LOGGING
|
||||||
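Review bot: `conn->c_sasl_bindop` is handed to slap_sasl_authorized without a NULL check, and the callee now dereferences `op->o_conn` in its manager check before anything else, so a callback invoked while no bind operation is attached to the connection would fault immediately rather than only at the later backend_attribute call that already depended on it. Whether the Cyrus SASL library can invoke this authorize callback outside a bind cannot be told from the hunk; if it can, a guard ahead of the call, `if ( conn->c_sasl_bindop == NULL ) return SASL_NOAUTHZ;`, keeps the check failing closed. The same call shape appears at the second site in the hunk at @ -867. slap_sasl_authorize begins and ends outside this hunk.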
@ -867,7 +867,7 @@ slap_sasl_authorize(
|
|||||||
return SASL_NOAUTHZ;
|
return SASL_NOAUTHZ;
|
||||||
}
|
}
|
||||||
|
|
||||||
rc = slap_sasl_authorized(conn, &authcDN, &authzDN );
|
rc = slap_sasl_authorized(conn->c_sasl_bindop, &authcDN, &authzDN );
|
||||||
ch_free( authcDN.bv_val );
|
ch_free( authcDN.bv_val );
|
||||||
if( rc ) {
|
if( rc ) {
|
||||||
#ifdef NEW_LOGGING
|
#ifdef NEW_LOGGING
|
||||||
|
@ -490,7 +490,7 @@ CONCLUDED:
|
|||||||
* The DNs should not have the dn: prefix
|
* The DNs should not have the dn: prefix
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
slap_sasl_check_authz( Connection *conn,
|
slap_sasl_check_authz( Operation *op,
|
||||||
struct berval *searchDN,
|
struct berval *searchDN,
|
||||||
struct berval *assertDN,
|
struct berval *assertDN,
|
||||||
AttributeDescription *ad,
|
AttributeDescription *ad,
|
||||||
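Review bot: The comment block above slap_sasl_check_authz still documents only the DN arguments and says nothing about the new `op` parameter, which the body uses for the backend_attribute lookup and for `op->o_tmpmemctx` when freeing the value array. Add a line to that comment such as `* op: the operation on whose behalf the lookup runs; its o_tmpmemctx owns the returned values` so readers know why an Operation rather than a Connection is now required. The body of this function continues in the next hunk.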
@ -509,19 +509,19 @@ slap_sasl_check_authz( Connection *conn,
|
|||||||
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
|
assertDN->bv_val, ad->ad_cname.bv_val, searchDN->bv_val);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
rc = backend_attribute( conn->c_sasl_bindop, NULL,
|
rc = backend_attribute( op, NULL,
|
||||||
searchDN, ad, &vals );
|
searchDN, ad, &vals );
|
||||||
if( rc != LDAP_SUCCESS ) goto COMPLETE;
|
if( rc != LDAP_SUCCESS ) goto COMPLETE;
|
||||||
|
|
||||||
/* Check if the *assertDN matches any **vals */
|
/* Check if the *assertDN matches any **vals */
|
||||||
for( i=0; vals[i].bv_val != NULL; i++ ) {
|
for( i=0; vals[i].bv_val != NULL; i++ ) {
|
||||||
rc = slap_sasl_match( conn->c_sasl_bindop, &vals[i], assertDN, authc );
|
rc = slap_sasl_match( op, &vals[i], assertDN, authc );
|
||||||
if ( rc == LDAP_SUCCESS ) goto COMPLETE;
|
if ( rc == LDAP_SUCCESS ) goto COMPLETE;
|
||||||
}
|
}
|
||||||
rc = LDAP_INAPPROPRIATE_AUTH;
|
rc = LDAP_INAPPROPRIATE_AUTH;
|
||||||
|
|
||||||
COMPLETE:
|
COMPLETE:
|
||||||
if( vals ) ber_bvarray_free_x( vals, conn->c_sasl_bindop->o_tmpmemctx );
|
if( vals ) ber_bvarray_free_x( vals, op->o_tmpmemctx );
|
||||||
|
|
||||||
#ifdef NEW_LOGGING
|
#ifdef NEW_LOGGING
|
||||||
LDAP_LOG( TRANSPORT, RESULTS,
|
LDAP_LOG( TRANSPORT, RESULTS,
|
||||||
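Review bot: The loop at `for( i=0; vals[i].bv_val != NULL; i++ )` dereferences `vals` whenever backend_attribute returns LDAP_SUCCESS, so it relies on the backend never reporting success with a NULL array, while the `if( vals )` at COMPLETE shows NULL is already treated as possible on the error path. If success-with-NULL can occur (not decidable from the hunk), a guard before the loop, `if( vals == NULL ) { rc = LDAP_INAPPROPRIATE_AUTH; goto COMPLETE; }`, keeps the check failing closed; a bare `goto COMPLETE` would carry LDAP_SUCCESS through and grant the authorization. The initialisation of `vals` and the start of the function lie outside this hunk.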
@ -645,7 +645,7 @@ FINISHED:
|
|||||||
* The DNs should not have the dn: prefix
|
* The DNs should not have the dn: prefix
|
||||||
*/
|
*/
|
||||||
|
|
||||||
int slap_sasl_authorized( Connection *conn,
|
int slap_sasl_authorized( Operation *op,
|
||||||
struct berval *authcDN, struct berval *authzDN )
|
struct berval *authcDN, struct berval *authzDN )
|
||||||
{
|
{
|
||||||
int rc = LDAP_INAPPROPRIATE_AUTH;
|
int rc = LDAP_INAPPROPRIATE_AUTH;
|
||||||
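Review bot: The definition now takes an Operation, but the header comment above it (`The DNs should not have the dn: prefix`) does not say that `op` must be non-NULL with `op->o_conn` set, which the manager check in the following hunk reads unconditionally. Extend the comment with `* op must be non-NULL; op->o_conn->c_authz_backend decides the manager exemption`, and it is worth stating there that `rc` starts at LDAP_INAPPROPRIATE_AUTH so every path that does not explicitly succeed denies. The body of slap_sasl_authorized continues past this hunk.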
@ -673,14 +673,14 @@ int slap_sasl_authorized( Connection *conn,
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Allow the manager to authorize as any DN. */
|
/* Allow the manager to authorize as any DN. */
|
||||||
if( conn->c_authz_backend && be_isroot( conn->c_authz_backend, authcDN )) {
|
if( op->o_conn->c_authz_backend && be_isroot( op->o_conn->c_authz_backend, authcDN )) {
|
||||||
rc = LDAP_SUCCESS;
|
rc = LDAP_SUCCESS;
|
||||||
goto DONE;
|
goto DONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check source rules */
|
/* Check source rules */
|
||||||
if( authz_policy & SASL_AUTHZ_TO ) {
|
if( authz_policy & SASL_AUTHZ_TO ) {
|
||||||
rc = slap_sasl_check_authz( conn, authcDN, authzDN,
|
rc = slap_sasl_check_authz( op, authcDN, authzDN,
|
||||||
slap_schema.si_ad_saslAuthzTo, authcDN );
|
slap_schema.si_ad_saslAuthzTo, authcDN );
|
||||||
if( rc == LDAP_SUCCESS ) {
|
if( rc == LDAP_SUCCESS ) {
|
||||||
goto DONE;
|
goto DONE;
|
||||||
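Review bot: The manager check repeats `op->o_conn->c_authz_backend` twice on one long line, which makes the exemption — the only path that bypasses the saslAuthzTo/saslAuthzFrom rules — harder to read than it should be for a security-critical branch. A local such as `Backend *be = op->o_conn->c_authz_backend;` followed by `if( be && be_isroot( be, authcDN )) {` states the same condition once. The function begins and ends outside this hunk.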
@ -689,7 +689,7 @@ int slap_sasl_authorized( Connection *conn,
|
|||||||
|
|
||||||
/* Check destination rules */
|
/* Check destination rules */
|
||||||
if( authz_policy & SASL_AUTHZ_FROM ) {
|
if( authz_policy & SASL_AUTHZ_FROM ) {
|
||||||
rc = slap_sasl_check_authz( conn, authzDN, authcDN,
|
rc = slap_sasl_check_authz( op, authzDN, authcDN,
|
||||||
slap_schema.si_ad_saslAuthzFrom, authcDN );
|
slap_schema.si_ad_saslAuthzFrom, authcDN );
|
||||||
if( rc == LDAP_SUCCESS ) {
|
if( rc == LDAP_SUCCESS ) {
|
||||||
goto DONE;
|
goto DONE;
|
||||||
|
@ -227,7 +227,7 @@ int slap_sasl_getdn( Connection *conn, Operation *op, char *id, int len,
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
int slap_sasl_authorized( Connection *conn,
|
int slap_sasl_authorized( Operation *op,
|
||||||
struct berval *authcDN, struct berval *authzDN )
|
struct berval *authcDN, struct berval *authzDN )
|
||||||
{
|
{
|
||||||
return -1;
|
return -1;
|
||||||
|
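Review bot: The stub returns `-1`, whereas the SASL-enabled implementation (hunk at @ -645) starts from `LDAP_INAPPROPRIATE_AUTH` and the callers in parseProxyAuthz and slap_sasl_authorize test the result against LDAP_SUCCESS or `if( rc )`; -1 is not an LDAP result code, so any caller that forwards `rc` as the operation's result would send an undefined value to the client. Returning `LDAP_INAPPROPRIATE_AUTH` here would match the real implementation while still failing closed; the neighbouring slap_sasl_getdn stub also returns -1, so this may be the file's deliberate convention and the two would need changing together. The preprocessor condition that selects this stub is outside the hunk.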